Google SSO
Single sign-on using the user's Google identity is solely the domain of the IAM system and has nothing to do with the CUE User Manager integration. If the IAM system is set up to use Google OIDC login, it will do so regardless of what CUE User Manager tells it.
That said, many IAMs, like Gluu, will support users logging in using either an AD user or a Google user. This means it's possible to separate users, for instance, having in-house editorial users in Active Directory, while freelancers use their Google login.
When the user logs in through Google SSO, a (shadow) user is created inside the IAM system with a link to the Google identity. In Gluu, for example, the LDAP entry for a user logged in over Google OIDC contains an attribute like oxExternalId=gplus:4112343241234.
Before this user can do anything in CUE User Manager, it must be assigned groups matching the newsroom publication mapping that you've configured in /etc/escenic/user-manager/user-manager.yaml. CUE User Manager uses this mapping to create the appropriate user in CUE Content Store with roles granting it permissions to do something.
How these groups are added is in the realm of the IAM system.
Preferably, the IAM system allows the integrator to hook onto the IAM
system's user creation process and add the necessary groups immediately
after the user logs in through Google, ensuring a smooth single sign on
experience.
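
An audit check for the situation described above, added here as an example and not part of the CUE or Gluu documentation: it scans an LDIF export for Google-linked shadow users (oxExternalId starting with gplus:) that hold none of the groups the mapping expects. The memberOf attribute, the group DNs and the sample entries are assumptions constructed for illustration.

```python
# Added example: flag Google-linked shadow users that have no mapped group.
# Assumptions: membership is stored in "memberOf"; the group DNs are
# hypothetical. Only the oxExternalId=gplus:... form comes from the page.
MAPPED_GROUPS = {"inum=editors,ou=groups,o=gluu",
                 "inum=freelancers,ou=groups,o=gluu"}

# Constructed sample export (simple LDIF: no base64 values, no folded lines).
SAMPLE_LDIF = """\
dn: inum=1001,ou=people,o=gluu
oxExternalId: gplus:4112343241234
memberOf: inum=freelancers,ou=groups,o=gluu

dn: inum=1002,ou=people,o=gluu
oxExternalId: gplus:5223454352345

dn: inum=1003,ou=people,o=gluu
memberOf: inum=editors,ou=groups,o=gluu

dn: inum=1004,ou=people,o=gluu
oxExternalId: gplus:6334565463456
memberOf: inum=unrelated,ou=groups,o=gluu
"""

def parse_ldif(text):
    """Parse simple LDIF into a list of {lowercased_attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def google_users_without_mapped_group(entries, mapped_groups):
    """Return DNs of gplus-linked users that hold none of the mapped groups."""
    wanted = {g.lower() for g in mapped_groups}
    flagged = []
    for e in entries:
        is_google = any(v.startswith("gplus:") for v in e.get("oxexternalid", []))
        groups = {g.lower() for g in e.get("memberof", [])}
        if is_google and not (groups & wanted):
            flagged.append(e["dn"][0])
    return flagged
```

Users flagged by this check can authenticate through Google but will not be usable in CUE User Manager until the IAM system assigns them a mapped group.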